Under existing law, covered entities are required to implement and maintain reasonable security measures to protect sensitive personally identifying information against breaches of security. A covered entity that fails to notify an individual whose sensitive personally identifying information has been exposed in a breach of security commits an unlawful trade practice. This bill would provide that a covered entity commits an unlawful trade practice if the covered entity suffers a data breach that includes sensitive personally identifying information, precise location data, and proprietary network information, and the covered entity did not have reasonable security measures in place at the time of the breach. Section 111.05 of the Constitution of Alabama of 2022, prohibits a general law whose purpose or effect would be to require a new or increased expenditure of local funds from becoming effective with regard to a local governmental entity without enactment by a 2/3 vote unless: it comes within one of a number of specified exceptions; it is approved by the affected entity; or the Legislature appropriates funds, or provides a local source of revenue, to the entity for the purpose. The purpose or effect of this bill would be to require a new or increased expenditure of local funds within the meaning of the section. However, the bill does not require approval of a local governmental entity or enactment by a 2/3 vote to become effective because it comes within one of the specified exceptions contained in the section.

Statutes affected:
Introduced: 8-38-2